IT Security Label from the BSI

The IT security label is a label awarded by the German Federal Office for Information Security (BSI) for products or services. It serves as proof and guarantee that the product or service complies with the applicable IT security requirements. In order to receive the label, the manufacturer must prove that their product or service meets all the necessary security requirements and confirm this with a manufacturer's declaration. Applying for the IT security label is voluntary and can only be done within the product categories defined by the BSI.

This means that manufacturers of IT products or services can decide for themselves whether or not they wish to apply for the IT security label. However, it is only possible to obtain certification for certain product categories defined by the BSI. These categories are based on the applicable IT security requirements and include, for example, firewalls, antivirus software or cloud services.

In order to obtain the IT security mark, manufacturers must carry out a complete test of their product or service and prove that all required IT security requirements are met. This takes the form of a manufacturer's declaration in which the manufacturer confirms that its product or service complies with the applicable security standards. Testing and certification is carried out by independent test centers accredited by the BSI.

The following five steps must be followed to obtain the certificate:

1. Conformity Check

Before you apply for the IT security mark, it is important that you as a manufacturer or service provider first carry out a thorough check of your product. This involves checking whether your product meets all the relevant IT security requirements that are necessary for the award of the label.

You can either carry out this check yourself or you can obtain support from a conformity assessment body. These bodies specialize in checking and confirming the conformity of products with certain requirements. You can select a conformity assessment body of your choice and commission them to check the safety of your products.

Once you have confirmed the conformity of your product with the IT security requirements, you can submit the application for the IT security mark.

2. Application

As soon as your IT products or services have successfully undergone a conformity check, nothing stands in the way of your application for the coveted IT security label. You can easily use the federal portal and submit the application.

Please note, however, that an administrative fee is charged for processing the applications, regardless of whether the application is approved or rejected. We therefore recommend that you contact us before submitting your application and clarify any open questions regarding the application for an IT security label.

3. Performance of a plausibility check by the BSI

As soon as you have submitted this application, the BSI will check your application and your manufacturer's declaration for completeness and plausibility. It will check whether all the necessary information and documents are available and whether your information is credible.

If a certificate has already been issued for your product in accordance with Section 9 BSIG or a recognized foreign state mark in accordance with Section 6 (2) BSI-ITSiKV, a simplified test procedure can be carried out without a plausibility check. This means that the BSI has already checked and confirmed the security requirements for your product and therefore no further plausibility check is necessary.

4. Award of the IT security label

After your application for the use of the IT security label has been positively reviewed by the BSI, you will receive a notice granting you authorization to use the corresponding label for a certain period of time. In addition to the notification, you will receive an IT security label specially made for your product, which you can affix to your product and its packaging or to the website for services. You can find more detailed instructions on the correct use of the IT security label in the label regulations.

When the IT security mark is issued, the BSI also creates a product information page which serves to inform consumers about your product and the manufacturer's declaration you have issued. This page is accessible via a permanent link, which is also an integral part of the label as a QR code.

5. After approval: A look at downstream market surveillance

During the entire term of the label, the market surveillance authority of the Federal Office for Information Security (BSI) checks whether the IT security features of a product promised in the manufacturer's declaration are actually fulfilled.

This review is carried out both regularly and without specific cause and also specifically on the basis of information or complaints. The conformity of the labeled product with the underlying IT security requirements of the respective product category is closely scrutinized. This means that not only do the basic security requirements apply to all products, but specific requirements are also taken into account depending on the product type.

These comprehensive checks ensure that the products bearing the IT security label actually fulfill the promised security features. This is particularly important as IT products are playing an increasingly important role in our daily lives these days.

Conclusion

The IT security mark is a voluntary label for IT products that offers manufacturers the opportunity to make the security features of their products recognizable by means of a BSI mark. This enables them to meet consumers' increasing need for information and to highlight their product on the market. IT security is used as a sales argument.

Manufacturers declare that their product has certain security features that are based on established IT security standards and have been recognized by the BSI. These standards claim to take security into account as early as the product development stage and to guarantee the general objectives of information security.

The IT security mark is based on a manufacturer's declaration of conformity of the product with a standard. The BSI checks this declaration for completeness and plausibility, but does not carry out a technical content check.